Firefox 40 Features Updates, Patches, Including One for Stagefright

Mozilla today released its Firefox 40 open-source Web browser, providing Windows, Mac, Linux and Android users with updated features as well as multiple patches across 14 security advisories.
The biggest visual change in Firefox 40, however, is only going to be seen by Windows 10 users, which gets a new look to integrate into Microsoft's new operating system. Users on Linux will now benefit from improved scrolling and graphics, which is an extension of Mozilla's Project Silk that debuted for Mac OS X users with Firefox 39 in July.
From a security hardening perspective, Firefox 40 now provides users with improved malware protection.
"Firefox 40 now issues a warning if you visit a page known to contain deceptive software that can make undesirable changes to your computer," Francois Marier, security and privacy engineer at Mozilla, wrote in a blog post.

The deceptive software identification comes to Firefox 40 by way of improvements in the Google Safe Browsing API. Firefox has been integrating Google's Safe Browsing technology since 2006 with Firefox 2.0.

Mozilla is now also beginning to roll out improvements to securing third-party add-ons with a process in place by which Mozilla will certify add-ons. Though in Firefox 40, Mozilla isn't yet enforcing the add-on certification for end users. The current plan is that for a future Firefox release, non-certified add-ons will be blocked by default.
"Today, you will start seeing warnings next to unsigned add-ons in Firefox, but no add-ons will be automatically disabled," Mozilla stated in its Firefox 40 release notes. "These warnings will inform you about add-ons that have not been certified by Mozilla and we're working with add-on developers to help them meet our standards and make add-ons safer for you."
Mozilla is also issuing 14 security advisories alongside the Firefox 40 release. Four of those 14 advisories are rated by Mozilla as being critical. One of the critical advisories is labeled by Mozilla as MFSA-2015-79 and details miscellaneous memory safety hazards.
In addition, one of the critical advisories fixes a flaw in the libstagefright media library. Libstagefright was also recently implicated in a major vulnerability in Android, which has already been patched by Google. The Stagefright vulnerability in Android was reported to Google by security researchers at Zimperium. For Firefox, there are actually four different libstagefright issues reported by four different security researchers including an anonymous researcher working with HP's Zero Day Initiative, independent security researcher Massimiliano Tomassoli, a security researcher only identified as "security researcher laf.intel" and Mozilla security engineer Tyson Smith.
"Each of these reported issues result in potentially exploitable crashes that could allow for remote code execution," Mozilla warned in its advisory.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.